I have remote access via LogMeIn to the server at this location, then I use VNC to connect to the workstation. This happens sporadically, and we're unable to replicate it at will.
Here is a video I recorded with my iPhone: http://files.snapfizzle.com/vid/erratic-cursor.mov
7z @ http://files.snapfizzle.com/vid/erratic-cursor.7z (www.7-zip.org)
This computer is a Dell Optiplex 745 and serves as a POS station for our proprietary POS software.
Hardware we've replaced thus far:
-USB keyboard & mouse (also tried PS/2)
-Peripherals; receipt printer & cable (parallel), RS-232 IR dongle, USB magnetic card reader
Software solutions attempted:
-Disable mouse in DevMan (device manager)
-Unplug mouse & keyboard (ran without for a week)
-Disable touchscreen driver in DevMan
-Uninstall ELO touchscreen driver (ran without for a week)
-Reflash current Dell BIOS (2.4.6 dated 3/1/10)
3rd party software suites attempted:
-AdAware: Found something and quarantined it, unable to provide details as it's been deleted and thus removed from the active log.
-MBAM (MalwareBytes Anti-Malware): nothing found
-HJT (HijackThis): current log @ http://pastebin.com/1xtGwLMP // startup log @ http://pastebin.com/pe4hBx1x
-ComboFix: log @ http://pastebin.com/h55UVvxm
-Symantec Endpoint: nothing found, ever.
-cmd>tasklist /svc @ http://pastebin.com/sCAGbJV6
-new cmd>tasklist /svc @ http://pastebin.com/uc1yR4yN
Update 1: All workstations are identical, we've even taken a ghost image from POS1 and pushed it to this station (POS3). After finding the flaky hosts file on POS3, I of course cleared it out to the XP default. I then looked at all other workstations, and sure enough POS1 had the flaky hosts file as well, which I cleared.
For the record, POS1 has never exhibited this behavior.
Update 2: Every workstation has VNC installed as a server only and enabled (not NT authentication, just VNC auth).
The customer called and I took that video while using LogMeIn to access the server, then VNC to access the POS.
RDP is also enabled, and use of either of these items has no effect on the issue.
Update 3: The video card is an ATI x1300. We're using the latest video driver from Dell for the computer model (Optiplex 745). We have also tried the latest catalyst drivers from AMD/ATI.
Update 4: The odd entries in the hosts file were created by Spybot S&D so if malware was installed, it wouldn't be able to contact its server.
Update 5: Most recent occurrence 2011.08.04 @ 9:15am PT~.
Edited by hamluis, 04 August 2011 - 12:29 PM.
Moved from Am I Infected to Malware Removal Logs.